
cargo-auditable and Debian
Hi everyone,

I'm the maintainer of https://github.com/rust-secure-code/cargo-auditable which embeds the list of dependencies into compiled Rust binaries.

Alexander Kjall has experimented with using it to complement or replace dh-cargo-built-using, but it wasn't up to scratch back then. I just wanted to let you know that I've cleared the technical blockers: https://github.com/rust-secure-code/cargo-auditable/issues/128

Note that you need v0.7.0 to get those improvements while Debian currently packages v0.6.6, but the upgrade should be trivial.

`cargo auditable` is already used by many distributions. Alpine, openSUSE, NixOS and others already build all their Rust packages with it. There are also lots of tools to extract this data and check for security vulnerabilities; even Docker itself understands it.

Integration of cargo-auditable into the Debian build process should be fairly straightforward. Since Debian already uses a Cargo wrapper at /usr/share/cargo/bin/cargo, you can follow the usual drop-in replacement approach easily.

I'd be glad to see the ecosystem converge on a more unified way of tracking Rust dependencies. I'm happy to answer any questions.

Cheers,

Shnatsel
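As an added illustration of the "extract this data and check for security vulnerabilities" step mentioned in the post (this is example code, not part of cargo-auditable or the e-mail), the script below reads the dependency list out of a Rust ELF binary the way the auditing tools do: cargo-auditable stores zlib-compressed JSON in a section named `.dep-v0`, so the reader walks the ELF64 section headers by hand, inflates that section and returns the package list. Because no real Rust build is available here, the `build_fake_binary` helper constructs a minimal ELF64 image around a made-up payload; `SAMPLE_AUDIT` and the advisory map passed to `flagged_packages` are constructed sample data, and the advisory check is a deliberately simplified exact-version match rather than the semver-range matching real advisory databases use.

```python
"""Read the dependency inventory that cargo-auditable embeds in a Rust ELF
binary (section `.dep-v0`, zlib-compressed JSON) and cross-check it.

Added example, not cargo-auditable's own code. The ELF image is built by a
test helper so the script runs offline; SAMPLE_AUDIT is constructed data."""
import json
import struct
import zlib
from typing import Optional

DEP_SECTION = ".dep-v0"                    # section name cargo-auditable writes
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header, little-endian
SHDR = struct.Struct("<IIQQQQIIQQ")        # ELF64 section header

# Constructed sample in the cargo-auditable JSON shape: a root crate plus two
# dependencies. Names and versions are made up for the example.
SAMPLE_AUDIT = {
    "packages": [
        {"name": "example-app", "version": "0.1.0", "source": "local",
         "dependencies": [1, 2], "root": True},
        {"name": "serde", "version": "1.0.160", "source": "crates.io"},
        {"name": "smallvec", "version": "1.6.0", "source": "crates.io"},
    ]
}


def build_fake_binary(audit: dict) -> bytes:
    """Construct a minimal ELF64 image whose only payload is a `.dep-v0`
    section holding zlib-compressed JSON. Test fixture, not a real executable:
    it has no program headers and cannot be run."""
    payload = zlib.compress(json.dumps(audit).encode())
    shstrtab = b"\0" + DEP_SECTION.encode() + b"\0.shstrtab\0"
    dep_name_off = 1                            # ".dep-v0" starts at byte 1
    shstr_name_off = 1 + len(DEP_SECTION) + 1   # ".shstrtab" follows it

    shstrtab_off = EHDR.size                    # layout: header, strtab, payload, shdrs
    payload_off = shstrtab_off + len(shstrtab)
    shoff = payload_off + len(payload)

    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELFCLASS64, LE, v1
    header = EHDR.pack(ident, 2, 0x3E, 1, 0, 0, shoff, 0,
                       EHDR.size, 0, 0, SHDR.size, 3, 2)   # 3 sections, strtab is #2
    null_sh = SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    dep_sh = SHDR.pack(dep_name_off, 1, 0, 0, payload_off, len(payload), 0, 0, 1, 0)
    str_sh = SHDR.pack(shstr_name_off, 3, 0, 0, shstrtab_off, len(shstrtab), 0, 0, 1, 0)
    return header + shstrtab + payload + null_sh + dep_sh + str_sh


def read_audit_data(elf: bytes) -> Optional[dict]:
    """Return the decoded cargo-auditable JSON, or None when the binary has
    no `.dep-v0` section (i.e. it was not built with `cargo auditable`)."""
    if len(elf) < EHDR.size or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (_, _, _, _, _, _, shoff, _, _, _, _,
     shentsize, shnum, shstrndx) = EHDR.unpack_from(elf, 0)
    sections = [SHDR.unpack_from(elf, shoff + i * shentsize) for i in range(shnum)]
    str_off, str_size = sections[shstrndx][4], sections[shstrndx][5]
    strtab = elf[str_off:str_off + str_size]
    for sh in sections:
        name_off, _, _, _, offset, size = sh[:6]
        name = strtab[name_off:strtab.find(b"\0", name_off)].decode()
        if name == DEP_SECTION:
            return json.loads(zlib.decompress(elf[offset:offset + size]))
    return None


def package_versions(audit: dict) -> dict:
    """Map package name -> version for everything linked into the binary."""
    return {p["name"]: p["version"] for p in audit["packages"]}


def flagged_packages(audit: dict, advisories: dict) -> list:
    """Cross-check the inventory against {name: set of affected versions}.
    Exact-version match only; real tools evaluate semver ranges."""
    versions = package_versions(audit)
    return sorted(name for name, v in versions.items()
                  if v in advisories.get(name, set()))


if __name__ == "__main__":
    binary = build_fake_binary(SAMPLE_AUDIT)
    info = read_audit_data(binary)
    print(package_versions(info))
    # Constructed advisory map, not RustSec data.
    print(flagged_packages(info, {"smallvec": {"1.6.0"}}))
```

Against a real binary, replace `build_fake_binary(...)` with the file's bytes; a binary built without `cargo auditable` simply yields `None`, which is itself a useful signal for a distribution checking that its Rust packages carry the inventory.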
